Bitcoin Forum
Author Topic: Hacked but would like to know what happened  (Read 2474 times)
pbleak (OP), June 10, 2015, 09:53:36 AM, #1

Hello all,

So for a while I had been away and came back to find a wallet emptied. You can see how quickly it happened here:
http://106.187.103.143/address/1LNFx7QQkpmam9jLjpyd52QqiVfahix9gQ

I move some Bitcoin in. 20 minutes later it is off to Germany (I assume a VPN, etc.). I see it then split off to a bunch of wallets. I then see it go on a bit of a journey of fragmentation.

OK, I am no fool. It is lost. However, is there any way for me to at least understand the nature of such an attack? To your eyes, is this some lone wolf or something more sophisticated?

Frankly I think this means I am done with Bitcoin. I've been super safe for years, but then in 20 minutes someone manages to relieve me of roughly 500e in Bitcoin.

I use electrum.

jl2012, June 10, 2015, 09:57:48 AM, #2

> Hello all,
>
> So for a while I had been away and came back to find a wallet emptied. You can see how quickly it happened here:
> http://106.187.103.143/address/1LNFx7QQkpmam9jLjpyd52QqiVfahix9gQ
>
> I move some Bitcoin in. 20 minutes later it is off to Germany (I assume a VPN, etc.). I see it then split off to a bunch of wallets. I then see it go on a bit of a journey of fragmentation.
>
> OK, I am no fool. It is lost. However, is there any way for me to at least understand the nature of such an attack? To your eyes, is this some lone wolf or something more sophisticated?
>
> Frankly I think this means I am done with Bitcoin. I've been super safe for years, but then in 20 minutes someone manages to relieve me of roughly 500e in Bitcoin.
>
> I use electrum.

The computer with your private key is compromised. Period.

If you are not using the offline wallet function of Electrum, you are not super safe.


pbleak (OP), June 10, 2015, 10:02:22 AM, #3

> > Hello all,
> >
> > So for a while I had been away and came back to find a wallet emptied. You can see how quickly it happened here:
> > http://106.187.103.143/address/1LNFx7QQkpmam9jLjpyd52QqiVfahix9gQ
> >
> > I move some Bitcoin in. 20 minutes later it is off to Germany (I assume a VPN, etc.). I see it then split off to a bunch of wallets. I then see it go on a bit of a journey of fragmentation.
> >
> > OK, I am no fool. It is lost. However, is there any way for me to at least understand the nature of such an attack? To your eyes, is this some lone wolf or something more sophisticated?
> >
> > Frankly I think this means I am done with Bitcoin. I've been super safe for years, but then in 20 minutes someone manages to relieve me of roughly 500e in Bitcoin.
> >
> > I use electrum.
>
> The computer with your private key is compromised. Period.
>
> If you are not using the offline wallet function of Electrum, you are not super safe.


Cheers, I expected as much. Ugh. But yes, it is the only way they could do it, right? They would not even have needed the private key, but simply a RAT to execute the transaction. Lesson learned.

spartacusrex, June 10, 2015, 10:14:09 AM, #4

Windows / Mac / or Linux ?


zamanpurba, June 10, 2015, 10:18:14 AM, #5

Ohh... sad for your loss.

Recently heard a guy hacked a member's account just by chatting with him on Skype, and a man writing something secretly in Arabic about selling databases... I don't know what the hell is going on... I will suggest you keep all the amount of BTC in a deep-freezer and hide your private key very secretly.

Thank you.

pbleak (OP), June 10, 2015, 10:19:35 AM, #6

Windows 8 machine, hence the small amount on there. I don't consider it a major loss and, granting it's a Windows machine, I am hardly surprised. I'll do a few scans and then a clean install. The former I am just curious about. There's no especial time when I've not been careful, even on this machine.

pbleak (OP), June 10, 2015, 10:20:49 AM, #7

> Ohh... sad for your loss.
>
> Recently heard a guy hacked a member's account just by chatting with him on Skype, and a man writing something secretly in Arabic about selling databases... I don't know what the hell is going on... I will suggest you keep all the amount of BTC in a deep-freezer and hide your private key very secretly.
>
> Thank you.

I do normally. This is the money I just like to have on my Windows wallet for general use. I don't keep anything substantial on the same machine.

Amph, June 10, 2015, 10:24:34 AM, #8

Nothing suspicious among the processes in the task manager? Some unknown folder in the local or %appdata% path?

What does netstat -on say? You should have checked those before formatting.

But it could always be a hidden RAT or rootkit or something else.
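Amph's checklist (task manager, %appdata%, netstat -on) can be made repeatable. The Python below is an added example, not code from the thread: it parses constructed `netstat -on` output and lists established TCP sessions to non-local hosts whose remote port is outside an assumed allow-list (HTTP/HTTPS plus Electrum's default server ports 50001/50002), keyed by PID so each can be checked in Task Manager. All addresses, ports and PIDs in the sample are made up.

```python
import ipaddress

# Constructed sample of `netstat -on` output from a Windows host (-o adds the
# owning PID, -n keeps addresses numeric). Every address, port and PID is made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49712     198.51.100.7:50002     ESTABLISHED     4120
  TCP    192.168.1.20:49720     203.0.113.45:52341     ESTABLISHED     6012
  TCP    192.168.1.20:49733     198.51.100.80:443      ESTABLISHED     2290
  TCP    127.0.0.1:49740        127.0.0.1:49741        ESTABLISHED     2290
"""

# Remote ports a wallet host is expected to reach (an assumption for this example):
# HTTP/HTTPS and the default Electrum server ports 50001 (TCP) and 50002 (SSL).
EXPECTED_REMOTE_PORTS = {80, 443, 50001, 50002}

# Loopback and RFC 1918 ranges; sessions to these are local and not of interest here.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def split_endpoint(endpoint):
    """'host:port' -> (host, port); also handles '[::1]:443'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples for the TCP rows.
    Header lines are skipped; UDP rows have no State column and are skipped too."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[4].isdigit():
            rows.append((f[0], f[1], f[2], f[3], int(f[4])))
    return rows

def flag_unexpected(rows):
    """Established sessions to non-local hosts on ports outside the allow-list,
    returned as (pid, host, port) so each PID can be looked up in Task Manager."""
    flagged = []
    for _proto, _local, foreign, state, pid in rows:
        if state != "ESTABLISHED":
            continue
        host, port = split_endpoint(foreign)
        addr = ipaddress.ip_address(host)
        if any(addr in net for net in LOCAL_NETS) or port in EXPECTED_REMOTE_PORTS:
            continue
        flagged.append((pid, host, port))
    return flagged
```

On a live host, feed the script the saved output of `netstat -on` and treat each flagged PID as a lead to investigate, not as proof of compromise.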

ragi, June 10, 2015, 10:24:52 AM, #9

Was your Electrum encrypted? Portable or standalone version? Are you sure this 14HXNqSefPtNfDyHtfeMv1Hngx3W5JfgW6 is not a change address?

Do you have Teamviewer on your machine by any chance?


Trouble821, June 10, 2015, 10:30:54 AM, #10

What antivirus software and firewall are you using, and are you using the firewall's default settings or your own custom settings?

Some firewalls aren't much good unless you use your own extremely strict custom settings. Windows' built-in firewall is almost useless.

pbleak (OP), June 10, 2015, 10:31:14 AM, #11

> Nothing suspicious among the processes in the task manager? Some unknown folder in the local or %appdata% path?
>
> What does netstat -on say? You should have checked those before formatting.
>
> But it could always be a hidden RAT or rootkit or something else.

Nothing suspicious, though I'm doing a bit of a hunt now (I have not reformatted yet as there is now nothing on the machine worth stealing).

I'm going through everything now to see what there may be about rootkits.

pbleak (OP), June 10, 2015, 10:33:13 AM, #12

> Was your Electrum encrypted? Portable or standalone version? Are you sure this 14HXNqSefPtNfDyHtfeMv1Hngx3W5JfgW6 is not a change address?
>
> Do you have Teamviewer on your machine by any chance?

Encrypted, yes, albeit with a password only for it. I am not sure about it being a change address. It looks from the blockchain like a deliberate Bitcoin movement from someone, and I do not use a German VPN.

No Teamviewer though I may come back to you all on that.

pbleak (OP), June 10, 2015, 10:34:05 AM, #13

> What antivirus software and firewall are you using, and are you using the firewall's default settings or your own custom settings?
>
> Some firewalls aren't much good unless you use your own extremely strict custom settings. Windows' built-in firewall is almost useless.

It's about as locked down as a Windows machine can get so they were determined or were waiting a while to get me.

pbleak (OP), June 10, 2015, 10:41:27 AM, #14

> Was your Electrum encrypted? Portable or standalone version? Are you sure this 14HXNqSefPtNfDyHtfeMv1Hngx3W5JfgW6 is not a change address?
>
> Do you have Teamviewer on your machine by any chance?

Actually this change address could be a possibility. Let me check. Need to be careful here.

pbleak (OP), June 10, 2015, 11:06:47 AM, #15

OK, yes, so I guess my security is better than expected. The 1 BTC I must have spent. The change address wallet still has its amount. I just need to do the boring recovery part now. Thanks all.

ragi, June 10, 2015, 11:09:55 AM, #16

What does your Electrum balance say? Bottom left. Also, the transaction is first relayed by a German IP, but that does not mean this is the person who took it.

Did you send 1 BTC before all that happened?


ragi, June 10, 2015, 11:12:26 AM, #17

> OK, yes, so I guess my security is better than expected. The 1 BTC I must have spent. The change address wallet still has its amount. I just need to do the boring recovery part now. Thanks all.

Glad everything worked out! It's not boring, nor recovery. They are still safe in the change address; if you want them out of it, just send them to another.

You can disable change addresses from options if you don't want to be confused in the future.

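ragi's change-address point is the crux of the thread: a single-address explorer page shows the receiving address emptied, while the wallet still owns the change output. As an added example (not code from the thread or from Electrum), the Python below models that spend in satoshis with constructed amounts and a placeholder exchange address, and compares the single-address view with the whole-wallet view. The two addresses are the ones quoted in the thread; treating 14HX... as the wallet's own change address follows pbleak's later confirmation, and everything else is assumed.

```python
from dataclasses import dataclass

# Addresses quoted in the thread: the watched receiving address and the one
# ragi asked about, which turned out to be the wallet's own change address.
RECEIVE_ADDR = "1LNFx7QQkpmam9jLjpyd52QqiVfahix9gQ"
CHANGE_ADDR = "14HXNqSefPtNfDyHtfeMv1Hngx3W5JfgW6"
OWNED = {RECEIVE_ADDR, CHANGE_ADDR}          # every address the wallet's seed controls

@dataclass
class Tx:
    """Simplified transaction: inputs and outputs as (address, satoshis) pairs.
    Real inputs reference previous outputs; resolving them to an address and
    value is assumed to have been done already."""
    txid: str
    inputs: list
    outputs: list

# Constructed history: a deposit, then a 1 BTC payment to an exchange with the
# remainder returned to the change address. Amounts and the other addresses are made up.
SAMPLE_TXS = [
    Tx("deposit", [("1SomeSenderPlaceholder", 150_000_000)],
       [(RECEIVE_ADDR, 150_000_000)]),
    Tx("payment", [(RECEIVE_ADDR, 150_000_000)],
       [("1ExchangeDepositPlaceholder", 100_000_000), (CHANGE_ADDR, 49_990_000)]),
]

def address_balance(txs, addr):
    """What a single-address explorer page shows: received minus spent for one address."""
    received = sum(v for tx in txs for a, v in tx.outputs if a == addr)
    spent = sum(v for tx in txs for a, v in tx.inputs if a == addr)
    return received - spent

def wallet_balance(txs, owned):
    """What Electrum's bottom-left balance shows: the sum over every owned address."""
    return sum(address_balance(txs, a) for a in owned)

def classify_spend(tx, owned):
    """Split a spend from the wallet into money that left, change that came back, and fee."""
    spent = sum(v for a, v in tx.inputs if a in owned)
    if spent == 0:
        return None                          # not a spend from this wallet
    change = sum(v for a, v in tx.outputs if a in owned)
    external = sum(v for a, v in tx.outputs if a not in owned)
    return {"external": external, "change": change, "fee": spent - change - external}

if __name__ == "__main__":
    print("single-address view:", address_balance(SAMPLE_TXS, RECEIVE_ADDR))  # 0
    print("wallet view:", wallet_balance(SAMPLE_TXS, OWNED))                   # 49990000
    print(classify_spend(SAMPLE_TXS[1], OWNED))
```

The receiving address reads 0, exactly what pbleak saw in the explorer, while the wallet as a whole still holds the change; only the 1 BTC output actually left.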

pbleak (OP), June 10, 2015, 11:13:19 AM, #18

> What does your Electrum balance say? Bottom left. Also, the transaction is first relayed by a German IP, but that does not mean this is the person who took it.
>
> Did you send 1 BTC before all that happened?

Checking now. It's possible someone has stolen the private key. And yes, I believe now I must have. I reviewed my records and sent 1 BTC to Bitfinex on that day. Just trying out the change wallet address now. Still awaiting regeneration from seed.

pbleak (OP), June 10, 2015, 11:14:10 AM, #19

Thanks. I am positive it was an error on my part. Fixable hopefully!

neoneros, June 10, 2015, 11:37:18 AM, #20

Hacked by confusion. So nothing is lost after all?
